Nextiva / Blog / Customer Experience

Customer Experience (CX) Customer Experience October 21, 2024

How to Maintain PCI Compliance in Your Contact Center

Contact Center PCI Compliance
The repercussions of falling behind on contact center PCI compliance are serious. This guide walks you through how to be PCI compliant.
Dominic Kent
Author

Dominic Kent

Contact Center PCI Compliance

The repercussions of falling behind on contact center PCI compliance don’t bear thinking about. Businesses, small and large, have seen firsthand what happens if you stray outside of the guidelines.

If the sound of a $229m fine, like the one British Airways received in 2017, for storing credit card details is something you’d rather avoid, read on to learn how to keep your contact center above board.

What Is PCI Compliance?

PCI DSS (Payment Card Industry Data Security Standard) is a set of security standards established by the PCI Security Standards Council to ensure that organizations handling cardholder data maintain secure environments.

Most credit card processing companies require full compliance; otherwise, you risk higher processing fees, slower settlements, and even cancellation. 

To comply with PCI DSS, contact center agents and any over-the-phone payment handlers must:

There are four levels of PCI DSS your contact center may be subject to that relate to the number of card transactions you process each year:

  • PCI Level 1: six million transactions or more
  • PCI Level 2: one to six million transactions
  • PCI Level 3: 20,000 to one million transactions
  • PCI Level 4: under 20,000 transactions

Like any contact center compliance, failing to adhere to the guidelines results in a penalty. The most common penalty for PCI DSS is a fine. Depending on the size of your business and the number of transactions processed per year, this can range from $5,000 to $100,000. 

It’s important to know, however, that this amount doesn’t include potential court or settlement fees. In 2013, Target was fined but also ordered to pay $18.5 million in settlements and $202 million in legal charges.

YouTube Video

Which Contact Centers Need PCI Compliance?

Handle Secure Payments In Contact Centers – Nextiva

Any contact center that accepts, transmits, or stores credit card information must meet PCI DSS requirements, including:

  • Inbound call centers where customers provide payment details over the phone
  • Outbound call centers where agents collect payments
  • Contact centers that process online payments through a web portal integrated with the phone system

No matter where a call originates or is completed, you must abide by the guidelines of PCI DSS. Likewise, any online payment received inside your contact center must be in accordance with these guidelines. 

How to Maintain PCI Compliance (Step by Step)

To handle secure payments in your contact center, you need to put a few things in place. Some of these items are your responsibility, and some could and should be taken care of by your contact center software provider.

1. Implementing access controls

Ensure that your contact center vendor assigns unique IDs and strong passwords for all agents — crucial for security and accountability.

Avoid shared logins, as they make it difficult to trace actions to specific individuals if issues arise. Implement the least privilege principle based on job roles. For example, credit collection agents need payment system access, while sales agents typically don’t.

Regularly review and update access privileges, especially when agents change roles. A quarterly review with supervisors is recommended.

Note: While access controls are vital, they don’t prevent all human errors. For instance, if an agent uses a personal device or public network for payments, it’s a separate disciplinary issue. Address such scenarios through specific policies and training.

2. Securing your network

Does the contact center vendor you’re looking at maintain their firewalls and intrusion detection systems? If not, you need to look elsewhere.

When it comes to hardware and software, the ultimate responsibility rests with you. But there’s only much you can do when the systems don’t belong to you. Here, your role changes to ensuring you choose a contact center vendor that will keep you safe.

Inside your network, you can segment to isolate the environment handling cardholder data. By partitioning private VLANs for voice traffic, you reduce the risk of data leakage. Privatizing voice traffic for those departments or agents with permissions to take payments is another step toward increased security.

Make sure you use strong encryption for data transmission and storage. HTTPS is the recommended protocol for sending data between web servers and browsers.

3. Protecting cardholder information

The ultimate rule is to only store full credit card numbers if absolutely necessary, and any consideration of necessity should be highly qualified. There must be a valid legal, commercial, or regulatory need. If you’re storing partial payment data, ensure strong encryption: 256-bit is the minimum encryption level recommended.

In every other case, you’re best protecting your business by deleting (or not storing in the first place) all cardholder data. One effective way to achieve this is by masking the numbers displayed on agents’ screens. 

Screenshot showing masking cardholder data (masking the card number or payment info displayed on agents’ screens)

Even though agents can still access necessary account information like account numbers and addresses, all sensitive card data, including card numbers and CVV codes, are hidden or replaced with asterisks or other symbols.

Masking or hiding this sensitive data prevents it from being stored or retained within your system. This reduces the risk of data breaches and unauthorized access, as there’s no sensitive cardholder data to steal in the first place.

4. Regularly updating and patching systems

You must ask your contact center vendor to regularly patch and update their software. Old, unmaintained code and software expose your business to vulnerabilities and malware.

Implement a system between you and your vendor for timely application and operating system updates. If vulnerabilities do arise, patch them promptly to address security risks. The best contact center vendors will do this automatically and communicate with you before you’re even aware of a vulnerability being present. 

As an extra layer of security, conduct regular internal vulnerability scans and penetration testing to ensure the protection of your customer data and agent-accessed network components.

5. Maintaining security policies

The easiest way to adhere to call center PCI compliance is to create a formal but simple-to-follow checklist for agents, supervisors, and managers.

As an extension of your core information security policy, each item on your PCI checklist must map to a specific PCI DSS requirement. Every task on the checklist must have an owner who is responsible. Each task must also have a clear timeline or deadline to protect you from falling behind on data cleansing or deleting.

Here is a neat example of a PCI DSS compliance checklist created by Sprinto from which you can take inspiration.

Complete-PCI-DSS-Compliance-checklist

You can also schedule reviews to update the checklist to reflect changes in processes, systems, or guidelines.

6. Monitoring and testing systems

As with any technology that sits atop your secure network, it’s important to continuously monitor network activity for suspicious behavior. If something arises, patching, documenting, and communicating are just as critical.

As well as conducting physical audits for software and network issues, take time to conduct internal audits to assess PCI DSS compliance procedures. Observing agent behavior when dealing with real-time transactions and using call recording systems can be enlightening.

Adding a line to “Check for PCI compliance” to your quality assurance process is an easy checkbox exercise that can help keep your business secure.

You could even take this a step further. This may be over the top for small businesses, but you could explore engaging an annual external PCI DSS audit by a Qualified Security Assessor.

Additional Considerations for PCI Compliance

In addition to the above six steps for keeping your business on track with PCI compliance, below are some things to consider to boost your security and compliance.

Data minimization

You must collect, store, and transmit only the minimum payment card information necessary.

While it’s impossible to totally ignore this data when receiving payments online or over the phone, you should only capture the bare minimum information needed. The more data you collect and store, the higher the risk of non-adherence.

Collecting the minimum payment card information necessary
DLP-based workflow functions

Incident response

What happens next is vital if the worst-case scenario happens and you suffer a data breach.

Spend time with your information security team (or consult externally) to create a plan for identifying, containing, and recovering from data breaches. Being exposed is not automatically the end of the world. But if you don’t act responsibly and quickly, it could become a disaster.

Payment gateway security

One of the first steps to ensuring PCI compliance in your contact center is checking whether your payment gateway partner is PCI compliant. This partner might be a third-party service provider or integrated into your contact center or call center software. If they don’t support or enable PCI compliance, it’s a non-starter and you must look elsewhere.

Choose a Reliable, PCI-Compliant Partner like Nextiva

If you take payments in your contact center, maintaining PCI compliance is one of the most important factors to get right. You will be able to spend time on projects that grow the business, improve productivity, and engage employees.

If you get it wrong, you’ll be fined, creating a reputation of ignorance, vulnerability, and risk. You’ll lose customer trust, and even the most loyal customers will seek an alternative provider.

On the technology side, choosing a compliant vendor relieves the potential headache of processing payments and worrying about data retention. While the actual payments are still processed by credit card companies, they happen in your agent UI. 

If your agents don’t see the numbers input during payment, and your contact center software allows for self-input, the risk of human error in data entry is reduced. However, data is still being stored and potentially transferred within your system. Make sure your contact center software has robust security measures to protect sensitive payment information throughout the process.

Nextiva is the go-to partner if you’re looking for a robust, easy-to-use contact center platform that’s PCI-compliant.

It’s PCI-certified and ensures privacy during transactions by connecting customers with secure payment processing over IVR. Customers input their card details via touch-tone (DTMF), and the call is returned to an agent once the payment is complete.

Secure payment processing over IVR workflow chart.
Secure payment processing over IVR flow chart

Agents can see that the customer is progressing through the payment process but have no physical access to card numbers or other sensitive customer data or information. 

This process helps you maintain a positive customer experience and protects your business from fines and reputational damage.

Need to protect your business from data breaches? 👇

Nextiva Payment Assist

Elevate customer trust and avoid massive fines with secure payment agent assist. PCI-certified payments made easy.

See Nextiva in action.
Quick, on-demand demos.